Hi,

I have struggled with this in the past as well, thankfully only on a test 
system but with the intent one day of putting something into production once 
the business agreed it was a worthy alternative.

We are getting closer to that agreement now and your work and posting this 
awesome how-to has just helped bridge one of the small gaps.

I have also tested this using a GoDaddy certificate and it works flawlessly. I 
think this information should be added to the appropriate wiki so that even 
more people can benefit.

Thanks Jeff

Regards,
Grant


From: sipx-users-boun...@list.sipfoundry.org 
[mailto:sipx-users-boun...@list.sipfoundry.org] On Behalf Of Jeff Gilmore
Sent: Sunday, 17 January 2010 2:54 p.m.
To: sipx-users@list.sipfoundry.org
Subject: Re: [sipx-users] SSL Cert help


On Jan 16, 2010, at 5:38 PM, Tony Graziano wrote:


What does

sipxproc -state

Tell you?


/usr/lib/ruby/1.8/net/http.rb:586:in `connect': certificate verify failed (OpenSSL::SSL::SSLError)
            from /usr/lib/ruby/1.8/net/http.rb:586:in `connect'
            from /usr/lib/ruby/1.8/net/http.rb:553:in `do_start'
            from /usr/lib/ruby/1.8/net/http.rb:542:in `start'
            from /usr/lib/ruby/1.8/net/http.rb:1035:in `request'
            from /usr/lib/ruby/1.8/net/http.rb:992:in `post2'
            from /usr/lib/ruby/1.8/xmlrpc/client.rb:535:in `do_rpc'
            from /usr/lib/ruby/1.8/xmlrpc/client.rb:420:in `call2'
            from /usr/lib/ruby/1.8/xmlrpc/client.rb:410:in `call'
            from /usr/bin/sipxproc:267

I redid the whole procedure from scratch, with a slightly different procedure 
using info gleaned from the text shown with /usr/bin/ssl-cert/gen-ssl-keys.sh  
(In all instructions below, replace "myhost.mydomain" with the fully qualified 
domain name of your own server):

1. First I made a new empty dir, and CDed to it.
2. I copied /usr/bin/ssl-cert/gen-ssl-keys.sh to this dir.
3. I edited gen-ssl-keys.sh and changed the line "ServerKeyBits=1024" to 
"ServerKeyBits=2048"
4. I ran ./gen-ssl-keys.sh --csr and answered the prompts with country, state, 
etc.
5. I cat'ed the resulting myhost.mydomain.csr file, and copied the text to paste it 
into the GoDaddy CSR request on their website.
6. GoDaddy liked that fine, and I was then able to download a certificate.  I 
chose "Apache" as the format, and it returned both a myserver.mydomain.crt and 
a gd_bundle.crt file in a zip file.  I copied both of these to my directory on 
the sipx server.
7.  One of the problems I saw earlier was an error regarding the Java keystore 
when doing the next step that actually installs the keys.  To avoid this, I ran 
gen-ssl-keys.sh again with the --convert-crt2jks option:

gen-ssl-keys.sh --convert-crt2jks myhost.mydomain

8. I then ran /usr/bin/ssl-cert/install-cert.sh myhost.mydomain.key.  It seemed 
to operate without error.
9. I restarted sipx with server sipxecs restart
10. I tested in some web browsers.  I only have tested on Macs so far;  Firefox 
seems to accept the certificate, Safari complains that the certificate was 
signed by an unknown authority.  I read on the web that other Safari users have 
had this problem on Safari.

So things seem to work for me, but I still need to do more testing on Windows 
and Linux.  I'd like to fix Safari too, if I can figure it out, as GoDaddy 
claims it should work.

I'm not sure what the command above that Tony had me run actually means--it 
seems to indicate a problem.

Jeff



_______________________________________________
sipx-users mailing list sipx-users@list.sipfoundry.org
List Archive: http://list.sipfoundry.org/archive/sipx-users
Unsubscribe: http://list.sipfoundry.org/mailman/listinfo/sipx-users
sipXecs IP PBX -- http://www.sipfoundry.org/
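
Added example, not part of the original thread and not sipXecs code: a pre-install check in Ruby (the language of the trace above) that the private key matches the issued certificate and that the certificate chains to a trusted root through the CA bundle. The helpers constructed_pki and check_install and the CA names are hypothetical, and the three certificates are constructed stand-ins for a root, the bundle's intermediate and the myhost.mydomain certificate.

```ruby
require 'openssl'

# Build a certificate for `subject`; `issuer` is [cert, key], or nil for self-signed.
def make_cert(subject, key, issuer: nil, ca: false)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2 # X.509 v3
  cert.serial = rand(1..2**31)
  cert.subject = OpenSSL::X509::Name.parse(subject)
  cert.issuer = issuer ? issuer[0].subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = issuer ? issuer[0] : cert
  cert.add_extension(ef.create_extension('basicConstraints', ca ? 'CA:TRUE' : 'CA:FALSE', true))
  cert.sign(issuer ? issuer[1] : key, OpenSSL::Digest.new('SHA256'))
  cert
end

# Constructed test PKI: root (client trust store), intermediate (CA bundle), leaf (server).
def constructed_pki
  rk, ik, lk = Array.new(3) { OpenSSL::PKey::RSA.new(2048) }
  root = make_cert('/CN=Constructed Root CA', rk, ca: true)
  inter = make_cert('/CN=Constructed Intermediate CA', ik, issuer: [root, rk], ca: true)
  leaf = make_cert('/CN=myhost.mydomain', lk, issuer: [inter, ik])
  { root: root, inter: inter, leaf: leaf, leaf_key: lk, other_key: ik }
end

# key: server private key; leaf: server certificate; bundle: intermediates the
# server will present; trusted_roots: what the client already trusts.
def check_install(key, leaf, bundle, trusted_roots)
  store = OpenSSL::X509::Store.new
  trusted_roots.each { |c| store.add_cert(c) }
  chain_ok = store.verify(leaf, bundle)
  { key_matches: leaf.check_private_key(key), chain_ok: chain_ok, error: store.error_string }
end

if __FILE__ == $PROGRAM_NAME
  pki = constructed_pki
  # Full chain presented: key matches and the chain verifies.
  p check_install(pki[:leaf_key], pki[:leaf], [pki[:inter]], [pki[:root]])
  # Intermediate withheld: the client cannot build a path to its trusted root.
  p check_install(pki[:leaf_key], pki[:leaf], [], [pki[:root]])
end
```

With real files, the same objects can be loaded with OpenSSL::X509::Certificate.new(File.read(path)) and OpenSSL::PKey.read(File.read(path)).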
